I've just met Mallory!

April 28th, 2013

Mallory!?

Ok, I have to admit that I only recently realized that a tool named Mallory exists. So much so that I had even started to develop mitmproxy4j to intercept SSL traffic myself.

It was obvious that every tester needs such a tool to intercept applications’ traffic and see what is going on over the network. You may think that you can accomplish this with a few iptables commands and a tool of your own to intercept and redirect traffic, but doing so for every application you want to examine can be tedious and frustrating.

So Intrepidus Group did a great job developing Mallory. Formally, Mallory is a transparent TCP and UDP proxy that is able to intercept any traffic over TCP and UDP; HTTP, HTTPS, DNS and SSH are some of the protocols it understands. Its transparency also allows the tester to use it without any special configuration on the client side, which means you can use it from your mobile phone with nothing more than its built-in network settings.

Enough said, let’s set up our Mallory!

Mallory needs to live on a gateway, so first of all you need a machine that operates as the gateway for the clients whose traffic we want to intercept. I installed Ubuntu 12.04 LTS on a virtual machine with a bridged network. (There is also a VM torrent link on their Bitbucket page, but I didn’t manage to download it because of the lack of seeders nowadays.)

I have Python 2.7.3 installed on Ubuntu. There is also a bunch of packages that must be installed in order to use Mallory. Run these commands:

You have installed Mallory and it is ready to launch. But first we need another interface for incoming connections. (Remember, Mallory lives on the gateway, and gateways have at least two interfaces: LAN and WAN.)

PPTP Interface

As the second interface we will use the Point-to-Point Tunnelling Protocol (PPTP), so we need to install a “pptpd” server.

sudo apt-get install pptpd

Now some configuration is needed to get PPTPD up and running.

sudo gedit /etc/ppp/chap-secrets

Edit this file like this; here “vpnuser” and “123456” are the username and password, respectively, that clients will use to connect to the PPTP server.
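The pptpd side of the gateway, as an added example that is not from the original post or the Mallory project: it renders the three pptpd files (pptpd.conf, pptpd-options and chap-secrets) using the vpnuser/123456 credentials from the post, and then enables IP forwarding and NAT so that tunnelled clients can reach the outside world through eth0. The tunnel address range (10.10.10.0/24), the DNS server handed to clients and the render_*/install_gateway/enable_forwarding function names are my assumptions; the file paths and directives are the ones the Ubuntu 12.04 pptpd package uses.

```shell
#!/bin/sh
# Added example (not from the original post): pptpd gateway configuration for
# a Mallory lab. Assumed values are marked; vpnuser/123456 come from the post.

VPN_USER="vpnuser"              # from the post
VPN_PASS="123456"               # from the post
WAN_IF="eth0"                   # outgoing interface named in the post
LOCAL_IP="10.10.10.1"           # assumed: gateway's address inside the tunnel
REMOTE_POOL="10.10.10.100-120"  # assumed: addresses handed out to PPTP clients
CLIENT_DNS="8.8.8.8"            # assumed: resolver pushed to clients

# /etc/pptpd.conf: where the options file lives and which addresses are used.
render_pptpd_conf() {
    printf 'option /etc/ppp/pptpd-options\nlocalip %s\nremoteip %s\n' \
        "$LOCAL_IP" "$REMOTE_POOL"
}

# /etc/ppp/pptpd-options: the "name" here must match the second column of
# chap-secrets, otherwise pppd never finds the credentials.
render_pptpd_options() {
    cat <<EOF
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns $CLIENT_DNS
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

# /etc/ppp/chap-secrets: client  server  secret  IP-addresses ('*' = any).
render_chap_secrets() {
    printf '%s\tpptpd\t%s\t*\n' "$VPN_USER" "$VPN_PASS"
}

# Write the rendered files under $1 (empty for the real root, a temp dir
# for a dry run). chap-secrets holds cleartext secrets, so keep it 0600.
install_gateway() {
    root="${1:-}"
    mkdir -p "$root/etc/ppp"
    render_pptpd_conf    > "$root/etc/pptpd.conf"
    render_pptpd_options > "$root/etc/ppp/pptpd-options"
    render_chap_secrets  > "$root/etc/ppp/chap-secrets"
    chmod 600 "$root/etc/ppp/chap-secrets"
}

# Turn the box into a gateway: forward between ppp0 and eth0 and masquerade
# the tunnel addresses behind the WAN interface. Requires root.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    service pptpd restart
}

# Usage: sudo sh pptpd-gateway.sh install
case "${1:-}" in
    install) install_gateway "" && enable_forwarding ;;
esac
```

Running the script with a temporary root (e.g. `install_gateway /tmp/lab`) lets you inspect the generated files before touching /etc; the `proxyarp` and MASQUERADE lines are what make the ppp0 clients' packets leave through eth0, which is exactly the two-interface situation Mallory expects.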

In the Interfaces tab you should see something like this. Here eth0 and ppp0 will be the outgoing interface and the interface to be MITM-ed, respectively.

If you click “Apply Configuration” at this point, you can see traffic flowing in the Streams tab (assuming no protocol is selected and only the “Debug All” rule exists). But it is raw data; no stripping is done on it.

So, if you want to strip SSL on, let’s say, port 5228, you need to define a protocol in the Protocols tab like this:

ssl_1: sslproto.SSLProtocol:5228

*Be warned! I think there is a misconception about the debuggability of defined protocols: I couldn’t see protocol-enabled traffic in the Streams tab. But the “Db View” section under the Advanced tab can always be used for listing streams.*

Do you have any last words?

As I said, Mallory is a great tool, but it needs some contribution in the way of feature additions and bug fixes. I think its authors don’t have time nowadays. I’ll see what I can do ;)